Personal Data Processing
In Compliance with Moroccan Law No. 09-08 Relating to the Protection of Individuals with Regard to the Processing of Personal Data
1. IDENTITY OF THE DATA PROCESSOR (TECHNICAL SERVICE PROVIDER)
This Privacy Policy governs the personal data processing operations carried out by Musak Leads Media, an agency specialized in conversational automation systems, enterprise communication infrastructure, and artificial intelligence solutions applied to commercial operations.
Within the scope of its services:
- Musak Leads Media acts exclusively as a Data Processor (“Processor” within the meaning of Moroccan Law No. 09-08).
- The subscribing professional client (medical clinic, law firm, real estate agency, e-commerce company, or any other business entity using the services) acts as the Data Controller.
The Processor operates strictly under the documented instructions of the Data Controller and does not independently determine the purposes or essential means of the processing activities.
2. SCOPE OF APPLICATION
This Policy applies to all automated processing activities performed through the following services:
- WhatsApp Business API automation;
- Automated appointment scheduling systems;
- Multilingual AI conversational systems;
- Retrieval-Augmented Generation (RAG) knowledge bases;
- CRM and customer support automation;
- Automated order tracking and notifications;
- Secure communication infrastructure via webhooks and n8n orchestration systems.
3. CATEGORIES OF DATA PROCESSED
As part of the services provided, the following categories of personal data may be processed:
A. Identity and Contact Data
- Full name;
- Phone number;
- Email address;
- Preferred communication language;
- WhatsApp messaging identifiers.
B. Transactional and Operational Data
Depending on the industry sector of the Data Controller:
Medical Sector
- Preferred appointment slots;
- Booking history;
- Administrative consultation-related information.
Legal Sector
- Initial intake notes;
- Consultation requests;
- Preliminary case-related information.
Real Estate Sector
- Geographic preferences;
- Indicative budget range;
- Property type preferences.
E-commerce Sector
- Order identification numbers;
- Delivery status information;
- Customer support interaction history.
C. Sensitive Data
Certain services may involve the processing of sensitive personal data within the meaning of Moroccan Law No. 09-08, including:
- Health-related information processed for medical or dental practices;
- Confidential information transmitted to law firms;
- Voice notes or text messages containing private information.
Such data benefits from enhanced security safeguards, including:
- Database encryption;
- Strict access limitation;
- Secure activity logging;
- Automatic masking of sensitive information;
- Data minimization policies.
4. PURPOSES OF PROCESSING
Personal data is processed exclusively for the following purposes:
- Automation of customer communications;
- Instant appointment scheduling;
- Automated workflow orchestration through n8n;
- AI-assisted multilingual customer support;
- Order tracking and transactional notifications;
- Secure management of professional communications;
- Optimization of response times and user experience;
- Intelligent conversational routing.
No personal data is used by the Processor for resale, independent commercial profiling, or behavioral advertising purposes.
5. LEGAL BASIS FOR PROCESSING
The processing activities performed are exclusively based on:
- The contractual instructions of the Data Controller;
- The execution of services requested by end users;
- Legal obligations applicable to the Data Controller;
- Prior consent where legally required.
The Data Controller remains solely responsible for:
- The lawfulness of the processing activities;
- Informing data subjects;
- Mandatory CNDP regulatory formalities;
- Specific authorizations relating to sensitive data processing.
6. DATA RETENTION AND PURGE POLICY
In accordance with the data minimization principle established under Moroccan Law No. 09-08, the Processor applies a strict limited-retention policy.
Retention Periods
Conversation logs, automation histories, transactional logs, and temporary AI processing content are automatically:
- deleted;
or - irreversibly anonymized
within a maximum period of thirty (30) days from the date of collection.
Operational Exception
Certain data may be temporarily retained where strictly necessary for:
- Maintaining an upcoming appointment;
- Executing an ongoing service;
- Complying with a legal obligation imposed upon the Data Controller.
Upon expiration of such operational necessity, the data is automatically purged.
7. INTERNATIONAL DATA TRANSFERS
(Compliance with Articles 43 & 44 of Law No. 09-08)
As part of its cloud-based infrastructure, certain data may transit through internationally recognized technology sub-processors, including:
- Meta Platforms, Inc.;
- OpenAI LLC.
These operations may involve cross-border data transfers outside the Kingdom of Morocco.
The Processor implements reinforced technical safeguards, including:
- TLS/HTTPS encrypted communications;
- Secure API infrastructure;
- Cryptographic webhook validation;
- Segregated access controls;
- AES-256 database encryption.
However, the Data Controller remains solely responsible for:
- Obtaining any required CNDP authorizations;
- Ensuring compliance for cross-border data transfers;
- Verifying the legality of international data flows.
8. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Processor applies high cybersecurity standards to protect the integrity, confidentiality, and availability of personal data.
Technical Measures Implemented
- AES-256 encryption for stored data;
- TLS/HTTPS secure communications;
- Secure webhook validation;
- Access logging and monitoring;
- Sensitive data masking;
- API key rotation;
- Restricted privileged-access controls;
- Segmented technical environments;
- Secure backup procedures.
Organizational Measures
- Strict confidentiality obligations;
- Restricted access for authorized personnel only;
- Internal security procedures;
- Contractual access limitations;
- Principle of least privilege.
9. RIGHTS OF DATA SUBJECTS
In accordance with Moroccan Law No. 09-08, all data subjects are entitled to the following rights:
A. Right of Access
Any individual may request confirmation regarding:
- The existence of processing activities;
- The categories of data held;
- The purposes of the processing.
B. Right to Rectification
Any individual may request:
- Correction;
- Updating;
- Or deletion
of inaccurate or incomplete personal data.
C. Right to Object
Any individual may object to the processing of their personal data on legitimate grounds.
Within the framework of automated WhatsApp communications, users may exercise this right at any time by sending:
“STOP”
or any equivalent opt-out instruction.
D. Exercise of Rights
Requests relating to data subject rights must primarily be addressed to the relevant Data Controller (clinic, law firm, agency, or business entity using the services).
The Processor shall assist the Data Controller in handling such requests in accordance with its contractual obligations.
10. CONFIDENTIALITY AND NON-DISCLOSURE
The Processor undertakes to:
- Never process personal data for its own purposes;
- Never disclose personal data to unauthorized third parties;
- Maintain strict confidentiality obligations with all authorized personnel.
No personal data is sold, rented, or commercially exploited.
11. RESPONSIBILITIES OF THE DATA CONTROLLER
The Data Controller acknowledges and accepts that it remains exclusively responsible for:
- Obtaining all required consents;
- Completing CNDP declarations or authorization requests;
- Informing end users;
- Ensuring the legality of collected data;
- Legally supervising sensitive data processing activities.
The Processor acts solely as a technical service provider executing the Controller’s documented instructions.
12. MODIFICATIONS TO THIS POLICY
This Privacy Policy may be amended at any time in order to:
- Reflect regulatory developments;
- Reinforce security measures;
- Adapt the technical infrastructure used.
The applicable version shall be the version communicated by the Data Controller or published through official contractual channels.
13. GOVERNING LAW AND COMPETENT AUTHORITY
This Privacy Policy is governed by Moroccan law, including:
- Moroccan Law No. 09-08 relating to the protection of personal data;
- Decisions and recommendations issued by the CNDP.
Any dispute relating to personal data processing shall fall under the jurisdiction of the competent Moroccan courts.